Windows Analysis Report
QT_0948765446-NMPMUST-9876563783.exe

Overview

General Information

Sample Name:	QT_0948765446-NMPMUST-9876563783.exe
Analysis ID:	628420
MD5:	155a8b146f63fcecc360cc1162974373
SHA1:	7abaf8a0df564b853227fdb8a614e7f8ba3edd15
SHA256:	361deb3d9ef665902441a554d099bd5e43266cd6320ef84facacdee256d325bd
Infos:

Detection

GuLoader

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

PE file does not import any functions

PE file contains strange resources

Drops PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

PE file contains more sections than normal

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Found malware configuration

Source: 00000000.00000002.957100646.0000000003370000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=15pFGBWcJey0L1ljJmoCXsS1qG0k_QM5X"}

Uses 32bit PE files

Source: QT_0948765446-NMPMUST-9876563783.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: QT_0948765446-NMPMUST-9876563783.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D74
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,	0_2_0040699E
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=15pFGBWcJey0L1ljJmoCXsS1qG0k_QM5X

Source: QT_0948765446-NMPMUST-9876563783.exe

String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe

Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405809

Uses 32bit PE files

Source: QT_0948765446-NMPMUST-9876563783.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

PE file does not import any functions

Source: library.dll.0.dr

Static PE information: No import functions for PE file found

PE file contains strange resources

Source: QT_0948765446-NMPMUST-9876563783.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: QT_0948765446-NMPMUST-9876563783.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: QT_0948765446-NMPMUST-9876563783.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe

Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403640

Detected potential crypto function

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Code function: 0_2_00406D5F		0_2_00406D5F
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Code function: 0_2_739B1BFF		0_2_739B1BFF

PE file contains more sections than normal

Source: libpixbufloader-tiff.dll.0.dr

Static PE information: Number of sections : 11 > 10

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe

Process Stats: CPU usage > 98%

Source: library.dll.0.dr

Static PE information: Section .rsrc

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe

File read: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe

Jump to behavior

Source: QT_0948765446-NMPMUST-9876563783.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe

0_2_00403640

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe

File created: C:\Users\user\AppData\Local\Temp\nsvF5A7.tmp

Jump to behavior

Source: classification engine

Classification label: mal64.troj.evad.winEXE@1/11@0/0

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe

Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404AB5

Source: QT_0948765446-NMPMUST-9876563783.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.957100646.0000000003370000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe

Code function: 0_2_739B30C0 push eax; ret

0_2_739B30EE

PE file contains sections with non-standard names

Source: libpixbufloader-tiff.dll.0.dr

Static PE information: section name: .xdata

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe

Code function: 0_2_739B1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_739B1BFF

Drops PE files

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	File created: C:\Users\user\AppData\Local\Temp\library.dll	Jump to dropped file
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	File created: C:\Users\user\AppData\Local\Temp\nsmF740.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	File created: C:\Users\user\AppData\Local\Temp\libpixbufloader-tiff.dll	Jump to dropped file

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe

RDTSC instruction interceptor: First address: 0000000003370556 second address: 0000000003370556 instructions: 0x00000000 rdtsc 0x00000002 cmp bl, cl 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F4324C6B594h 0x00000008 test cl, dl 0x0000000a test cl, cl 0x0000000c inc ebp 0x0000000d inc ebx 0x0000000e rdtsc

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\library.dll			Jump to dropped file
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libpixbufloader-tiff.dll			Jump to dropped file

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D74
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,	0_2_0040699E
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe	API call chain: ExitProcess graph end node

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe

Code function: 0_2_739B1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_739B1BFF

Source: C:\Users\user\Desktop\QT_0948765446-NMPMUST-9876563783.exe

0_2_00403640

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	628420
Product:	CloudBasic
Start time:	16:39:40
Start date:	17.05.2022
Sample:	QT_0948765446-NMPMUST-9876563783.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	155a8b146f63fcecc360cc1162974373
SHA1:	7abaf8a0df564b853227fdb8a614e7f8ba3edd15
SHA256:	361deb3d9ef665902441a554d099bd5e43266cd6320ef84facacdee256d325bd
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\ArtDeco_green_22.bmp	PNG image data, 110 x 110, 8-bit/color RGB, non-interlaced	C9E51CDC81D062234E363D135F53D582	BBF061CB6C6E6C85A0FBEC058F2DC27DE7A56BC9	599388CC93E8D2AE04325F6A692B31E6CBCFEE9D11FEA4A22E8FE31E1FF89AA2
C:\Users\user\AppData\Local\Temp\applications-engineering.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	DA02560CE065ED9F812FC23B6AF4E2C6	1A05DEAA45D137500AE2279C5EB608FD8F77B1F8	2BEC36AB11AA5A8328257C4A9D1F268805451983D5AAC657E098C9FC386574F6
C:\Users\user\AppData\Local\Temp\document-print-preview-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	0D79E9D00775B587F7DDC07F85581167	E094329B29C52656965AF26D944CBC8B753B831A	3A431205D5999B6CE43AFE3E3F553BEB46C95B40F202880E8B6A404593A138B5
C:\Users\user\AppData\Local\Temp\flugters.GLA	data	DB1F8338E32AEA828E5F3BC1E479EA4D	D0EC5F2CC0A8A865F7420C5185F39D406DA0523C	847653D9662EB47618CADA712604EFAD95A9093844A40C60546F97D7604208F9
C:\Users\user\AppData\Local\Temp\libpixbufloader-tiff.dll	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows	9174157F50762DD5D6E160C7E0DDADF1	D9E0BA6AA58B561D25C5A122A842A7B5DE1D47A4	80495E26F7ACE00DDE275B5C96292C7C31AF65AC7732D42D4E626EDE68F8C7F8
C:\Users\user\AppData\Local\Temp\library.dll	PE32 executable (GUI) Intel 80386, for MS Windows	56D41F7E91B9DCD5E8AF747A13C6004B	C59F6AE0DE9D72F3046293E9CEE3A8E5077A3F58	9B8494152724313033EE4A2C2112212816F9C11AB5DEF42D3325617ADFF6DE49
C:\Users\user\AppData\Local\Temp\mail-attachment-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	659220014DDED044AE048DE1F707787D	32D7305C1A0315A59B7B6F12A652D409F1E53077	3C7677231B2B2E41865F2772B97F2ED21235A6D3377A5C18A66D66ABB5F289C5
C:\Users\user\AppData\Local\Temp\mail-forward.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	3D4B275979C1C90F8802E34E1AE6BB03	13596B93FB14BE97D6275CCE43969935DEA3762C	2D547F84EA8DF35ECAAF5F4CDB92CA50488514174CF77A2B955D7CD4E0660B9F
C:\Users\user\AppData\Local\Temp\mail-reply-all-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	4FD7AA500BD09F4AE3D4D0951D56B095	215730E32EE69DBA4A8CCF190D16903C51803C3C	B34B352C04C4578B1130C979A3571DBF058BC939CDC45723E479BCE27D80B7A5
C:\Users\user\AppData\Local\Temp\network-cellular-disabled-symbolic.svg	SVG Scalable Vector Graphics image	5CD531D175E59C4A36AC0025E613F689	62F4DF65A5F6E3DE4A89774953F9C41FA9A0A4AA	41B4A84FD5B41F294B59E4CB4D9B76C6ACF4E5066C6AB9E458BEFEF116525B0C
C:\Users\user\AppData\Local\Temp\nsmF740.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CFF85C549D536F651D4FB8387F1976F2	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8

Windows Analysis Report
QT_0948765446-NMPMUST-9876563783.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report QT_0948765446-NMPMUST-9876563783.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
QT_0948765446-NMPMUST-9876563783.exe